Comments

A tool designed to encourage private owners and operators of critical infrastructure information to share with the federal government is the Protected Critical Infrastructure Information Program, created under the Critical Infrastructure Information Act of 2002. If private owners and operators want to voluntarily share their sensitive proprietary information with the federal government to be used for vulnerability assessments, risk assessments and to plan, prepare and respond to natural and man-made attacks, this information can be protected from civil litigation, regulatory requirements and from requests under the Freedom of Information Act and States' sunshine laws.

On behalf of the Advanced Cyber Security Center (www.acscenter.org), I am writing to provide feedback for the Department of Commerce’s notice, “Incentives To Adopt Improved Cybersecurity Practices”.

The Advanced Cyber Security Center (ACSC) submitted a response (below) to the National Institute of Standards and Technology (NIST) on April 8th highlighting the Center’s unique regionally-based, cross-sector threat sharing model. With leadership from senior representatives of ACSC member organizations, frontline IT security practitioners meet on a bi-weekly basis under an NDA (http://www.acscenter.org/initiatives/acsc_participation_agreement_august_2012.pdf) for a half-day to exchange threat indicators and strategies for responding to APT-style attacks.

We believe that this non-profit collaboration model provides the most effective strategy to establish private sector engagement with government to improve cybersecurity practices. The ACSC’s success in building trusted relationships among diverse private and public sector stakeholders has demonstrated the value in propagating a national network of federated threat-sharing collaborations based on the ACSC model. As described in our response, a matching program providing $1 to $1 in federal funding to match industry funding would incentivize the creation of four (4) regional entities in key areas of the country.

The ACSC and its members commend the important work undertaken by NIST to strengthen the nation’s cyber defense posture. We proposed in our April 9th letter to Director Gallagher that the Cyber Framework Team hold a workshop in the Boston area to be hosted by the ACSC. A roundtable with New England’s leading corporations, research universities and defense non-profits would build on this feedback by facilitating discussion with NIST representatives around effective strategies to bolster private-public cybersecurity coordination.

We look forward to future collaboration and would be pleased to answer questions.

Best regards,

William Guenther
Chairman of the Board of Directors, Advanced Cyber Security Center

On behalf of the Advanced Cyber Security Center (www.acscenter.org), I am writing to provide feedback for the recent RFI, “Developing a Framework to Improve Critical Infrastructure Cybersecurity”.

Recognizing the increasing urgency of improving the nation’s cyber defenses, President Obama highlighted the need for new approaches to address the most sophisticated cybersecurity threats. His Executive Order states that the “Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.” As an already nationally-recognized model for cross-sector, public-private partnerships focused on the advanced cyber threats (http://www.acscenter.org/news-events/white_house_staff_calls_/), the Advanced Cyber Security Center (ACSC) believes that our innovative threat-sharing, R+D, and education initiatives could be replicated with federal support as critical collaboration vehicles.

The ACSC - a non-profit consortium based in Massachusetts and launched and supported by Mass Insight Global Partnerships - brings together industry, university, and government organizations to address the most sophisticated cybersecurity challenges impacting critical infrastructure. The attached proposal, as described below, urges the creation of 4 regional collaborations in key areas of the country to leverage ACSC-developed best practices and lessons learned.

In order to develop a comprehensive framework for reducing cyber risks to critical infrastructure, we must move beyond sector-by-sector threat sharing efforts. The ACSC has developed an effective new threat sharing model that fills an important gap in the commercial marketplace through cross-sector, in-person regional collaboration among a manageable-sized group of trusted individuals. The ultimate goal is to develop a federated network of similar organizations.

With leadership from senior representatives of member organizations, frontline IT security practitioners from member organizations meet on a bi-weekly basis under an NDA (http://www.acscenter.org/initiatives/acsc_participation_agreement_august_2012.pdf) for a half-day to exchange threat indicators and strategies for responding to APT-style attacks. Significant private funding supports these “Cyber Tuesday” meetings in addition to a secure cyber threat repository and bi-monthly Technical Exchange Meetings that convene frontline security analysts with CISO-level members.

In the “Current Risk Management Practices” section, NIST solicits feedback from private sector organizations on “standards, guidelines, best practices, and tools [used] to understand, measure, and manage risk at the management, operational, and technical levels”. By drawing from expertise and insights across financial services, defense, healthcare, biotech/pharma, high-tech, universities and state government, the ACSC plays a vital role in increasing members’ situational awareness and promoting visibility into the advanced threats targeting critical infrastructure.

In parallel with threat-sharing activities, the Center has initiated partnerships with six major Massachusetts research universities in Research and Education. Initial “prime the pump” R+D planning projects are building industry-university relationships and scoping work for larger-scale R+D partnerships to address federal government and industry priorities. UMass and MIT partners, with ACSC support, jointly filed a $1.6M NSF proposal, “Cybersecurity Risk Analysis based on Financial Engineering and Big-Data Analytics (CRAFA)” that was shaped by nine months of ACSC-facilitated research and planning efforts for two projects. (http://www.acscenter.org/resources/cybersecurity_risk_analysis_summary_(2).pdf)

The ACSC Education Working Group, chaired by David Luzzi, Executive Director of Northeastern University’s Strategic Security Initiative, has also initiated programs aimed at strengthening member universities’ cybersecurity curricula and building the talent pipeline for industry members. Harvard and MIT faculty are leading discussions to develop a model “two semester arc” curriculum that would address gaps in course offerings and provide shared teaching resources. Separately, a university-industry subcommittee led by Liberty Mutual’s CISO, John McKenna, is working to expand industry connections to leading undergraduate and graduate IT students for security-focused internships/co-op opportunities.

Recommendations

The Chief Information Security Officer (CISO) from a Fortune 500 ACSC member company articulated one of the “greatest challenges in improving cybersecurity practices across critical infrastructure” [Framework for Reducing Cyber Risks to Critical Infrastructure, Current Risk Management Practices, Question #7]: “There are plenty of security solutions available. The problem is that they all focus on one thing. To deal with today’s attackers, it’s imperative to look across the stack & connect the dots… This is hard. We need to figure out how to do it.”

In response to the “Request for Comment”, the ACSC proposes two primary recommendations to advance the nation’s cyber defense capabilities. Implementation of these two recommendations would significantly enhance private-public cybersecurity coordination and strengthen protection of critical infrastructure through cross-sector collaboration.

1) Matching grant program, as illustrated in the attached proposal, to incentivize industry players to invest in their own cyber defenses. Support for four regional ACSC entities in key regions of the country will provide a cross-industry focal point for cyber security information sharing and collaboration while supporting R&D and educational programs that promote technology innovation, drawing top students and producing talented graduates in the process. We have already engaged with groups in Texas, Colorado, Virginia, and the west coast that are in earlier stages of development and turned to the ACSC for guidance.

2) Elimination of legal impediments that restrict information sharing around the advanced cyber threats. In order to strengthen our collective defenses, new policy incentives are needed to expand public-private and cross-sector sharing while safeguarding proprietary and sensitive information.

I would be pleased to answer any questions and look forward to discussing next steps.

An important incentive that could help to promote the adoption of proven efforts to address cybersecurity vulnerabilities is lowered premiums for first-party cybersecurity insurance that would distribute risk across the industry pool. The Framework could address this incentive as follows:

NIST could undertake in the framework responsibility for further refining actuarial information needed by providers.

Attached please find the Utilities Telecom Council (UTC) response to the Department of Commerce Notice of Inquiry regarding Cybersecurity Incentives. Please feel free to contact me if you have any questions.

To: Office of Policy Analysis and Development
National Telecommunications and Information Administration
Attention: Alfred Lee

Mr. Lee,

Honeywell International Inc. (Honeywell), through its Global Security division, is pleased to respond to the National Telecommunications and Information Administration’s inquiry regarding Incentives to Adopt Improved Cybersecurity Practices (Docket Number 130206115-3115-01). Our comments are contained in the attached file.

Please contact Steve Kostiw if you have any questions about this submission.

The American Petroleum Institute (API) welcomes the opportunity to respond to the National Institute of Standards and Technology and National Telecommunications and Information Administration’s Notice of Inquiry issued by the U.S. Department of Commerce in the Federal Register on March 28, 2013 to obtain answers to a series of questions on Incentives to Adopt Improved Cybersecurity Practices.

API is a national trade association that represents all segments of America’s oil and natural gas industry. Its more than 500 members include large integrated companies, exploration and production, refining, marketing, pipeline, and marine businesses, and service and supply firms. The industry also supports 9.2 million U.S. jobs and 7.7 percent of the U.S. economy, delivers $85 million a day in revenue to our government, and, since 2000, has invested over $2 trillion in U.S. capital projects to advance all forms of energy, including alternatives.

Oil and gas industry members face various cybersecurity risks ranging from unsophisticated, unskilled opportunistic hackers to highly skilled and resourced organized crime and nation-state entities seeking monetizable information and/or destruction of valued information technology and operational technology cyber systems. Incentives are not required for oil and natural gas companies to address these cyber risks. Most companies have integrated cyber risks into their corporate risk management systems and address them like any other business risk. Although there are items (like sharing actionable information regarding threats) that can facilitate companies’ management of cyber risks, the oil and natural gas industry does not “require” incentives to cause us to address these risks.

The attachment to this letter provides specific answers to each of the questions posed in the Notice of Inquiry. API looks forward to working with NIST to clarify and build upon these responses to support the voluntary adoption by critical infrastructure owners and operators of the Cybersecurity Framework being developed by NIST.

Should you have any questions or would like to discuss further, please feel free to contact me at (202) 682-8598 or Retzsch@api.org.

Monsanto appreciates the opportunity to provide our comments on the important issue of cybersecurity. To that end, please find attached our comments in response to the Federal Register notice that was published on March 28, 2013 on “Incentives to Adopt Improved Cybersecurity Practices.”

Please find the attached submission for the Financial Services Sector Coordinating Council in response to the Department of Commerce’s Notice of Inquiry: Incentives to Adopt Improved Cybersecurity Practices.

Attached are VOXEM’s comments on the Department of Commerce Notice of Inquiry on Incentives to Adopt Improved Cybersecurity Practices, Docket Number 130206115-3115-01. If you have any questions, please contact me at joann@voxem.com.

The American Gas Association (AGA) is pleased to submit comments in response to the Request for Information issued by the U.S. Department of Commerce in the Federal Register (78 FR 18954, pages 18954 -18955) on March 28, 2013, seeking input on Incentives To Adopt Improved Cybersecurity Practices.

AGA, founded in 1918, represents more than 200 local energy companies that deliver clean natural gas throughout the United States. There are more than 71 million residential, commercial and industrial natural gas customers in the U.S., of which 92 percent — more than 65 million customers — receive their gas from AGA members. AGA is an advocate for local natural gas utility companies and provides a broad range of programs and services for member natural gas pipelines, marketers, gatherers, international gas companies and industry associates. Today, natural gas meets almost one-fourth of the United States’ energy needs. For more information, please visit www.aga.org.

AGA surveyed a number of its natural gas distribution and transmission utility companies, and their collective comments are incorporated in the attached document.

AGA and its members are eager to continue to engage with the U.S. Department of Commerce in the development of the Incentives To Adopt Improved Cybersecurity Practices.

Attached please find comments from representatives of Covington & Burling LLP and The Chertoff Group in response to the Notice of Inquiry on Incentives To Adopt Improved Cybersecurity Practices, Docket Number 130206115-3115-01.

Attached for your review are comments from the American Insurance Association in response to the Department of Commerce’s “Notice of Inquiry: Incentives To Adopt Improved Cybersecurity Practices,” Docket Number 130206115-3115-01.

Thank you for the opportunity to comment and if you have any questions, please contact me.

My original response to the earlier RFI addressed incentives for small businesses. I am respectfully submitting it again as a response to the NOI in the event that different teams handle the responses.

USTelecom submits the attached comments in response to the Department of Commerce’s proceeding on ‘Incentives to Adopt Improved Cybersecurity Practices’ (Docket Number 130206115-3115-01). Should you have any questions, please contact the undersigned.

Please find attached the comments of the Telecommunications Industry Association in response to the Department of Commerce’s Notice of Inquiry on ‘Incentives To Adopt Improved Cybersecurity Practices’ (Docket Number 130206115-3115-01). We urge you to contact us using the information below with any questions.

Attached is the response of the Microsoft Corporation to the Notice of Inquiry (NOI) issued by the United States Department of Commerce concerning incentives to adopt improved cybersecurity practices (Docket Number 130206115-3115-01).

We appreciate the opportunity to provide comments to Commerce and look forward to continued engagement on this important topic.

Find attached the comments of BSA | The Software Alliance in response to the March 29, 2013, notice by the National Institute of Standards and Technology and the National Telecommunications and Information Administration, “Incentives To Adopt Improved Cybersecurity Practices.”

Please find attached Los Angeles Department of Water and Power’s response to the Notice of Inquiry issued by the National Telecommunications and Information Administration, and published in the Federal Register on March 28, 2013.

I am attaching the Internet Security Alliance’s (ISA’s) response to the March 28th Dept. of Commerce NOI on Cyber Incentives. The ISA submission consists of a response document and 4 separately attached appendices labeled Appendices A-D, all of which are attached to this email.

Please find attached comments regarding Notice of Inquiry Response. The hardcopy will follow by Federal Express delivery for tomorrow. Please contact us if you have any questions or concerns. Thank you.

Attached is a letter providing comments in response to the Notice of Inquiry by the National Institute of Standards and Technology and the National Telecommunications and Information Administration, dated March 28, 2013, regarding Incentives To Adopt Improved Cybersecurity Practices.